Early this morning I have landed in Munich, Germany, to attend meetings with my team and customers. Well, when I say, ‘I have landed’, actually it was the wonderful pilots that landed the plane safely. The landing took place after a little more than normal turbulence occurred, which got me thinking – what is makes a flight successful? What is the critical infrastructure behind it? What are the components of successful critical infrastructure protection?
To borrow a great definition from Wikipedia, Critical Infrastructure is a term used by governments to describe assets that are essential for the functioning of a society and economy – the infrastructure.
What is the common theme for each one of the major market definitions included in Critical Infrastructure? Each one has its own Operational Technology (OT) requirements for safety and operations. It’s important to remember that OT does not come store-bought and cannot be purchased like you and I buy our phones or fridges. Purchasing for OT has one priority above all – safety then functions. A close second is time – at home, you install or buy major components like heaters, coolers, or other electrical devices, expecting a life cycle of 10 to 20 years out of them. Obviously, it requires you to do regular maintenance, but this usually does not include a lot, if any, software updates…
This is the same for major components in Critical Infrastructure protection. Turn the device on, and let it run, safely. Businesses operating this kind of technology, like the aforementioned planes, have very mature processes to ensure availability of service and the longevity to keep the plane flying, but there are still major maintenance requirements.
Some things to think about when interacting with Operational Technology (OT):
- Segmentation increases safety;
- Reduces “access” in the probability portion of a risk equation;
- Needs context of device type, flow, and what is known to be healthy. The challenge some OT technology might only run once a month, or once a quarter;
- Visibility is as passive as possible – highly sensitive technology without mature protocol stacks. It’s still very achievable, even getting you healthy insight into complex vendor-specific protocols and processes.
Visibility is critical in critical infrastructure protection. You need to get as low and close to the edge as possible, then overlay with an eye to segmentation will vastly improve the risk profile for your organization.